Are there any performance statistics on the number of deployment clients a single deployment server can handle.
I believe this is a bit of a moving target, as the scalability of the deployment server is improved.
I certainly know of situations where a single deployment server was responsible for a few hundred clients, but many might be desktops or systems that are not always on.
The pollFrequency specified on the client correlates quite directly with the amount of load per client, so this can be reduced in larger implementations, especially for forwarders which probably don't need rapid reconfiguration.
As the number of active clients rises into range of 200 or more, I would recommend breaking out the server to a seperate splunkd, or possible several. This is guesswork. Please edit or correct this post as harder numbers emerge.
We are running 2500 + on a single DPL, never goes above 5% CPU / 3gb ram
phoneHomeIntervalInSecs = 600
I am experiencing an unresponsive splunkd with an indexer instance and a deployment server instance on the same box. It was working well at 700-800 forwarders, but when we went to about 1000 it stopped working. All forwarders are connecting to both the DS instance and the indexer to send data over SSL.
By unresponsive, I mean splunkd will respond to requests (from clients, from ./splunk list deploy clients, from ./splunk login) for a few seconds every couple of minutes.
Hardware is 16x2.4Ghz cores, 48GB memory, running Suse Linux 11.0.
I believe this is a bit of a moving target, as the scalability of the deployment server is improved.
I certainly know of situations where a single deployment server was responsible for a few hundred clients, but many might be desktops or systems that are not always on.
The pollFrequency specified on the client correlates quite directly with the amount of load per client, so this can be reduced in larger implementations, especially for forwarders which probably don't need rapid reconfiguration.
As the number of active clients rises into range of 200 or more, I would recommend breaking out the server to a seperate splunkd, or possible several. This is guesswork. Please edit or correct this post as harder numbers emerge.
We'd like to hear back from you! Please consider answering this question with your experience after a week or two.
My deployment server just went live and is managing almost 2k hosts. I just used my search head that has a few extra cores than the reference architecture.